Description
Slides: https://powerofcommunity.net/poc2024/Meysam Firouzi, Pishi - Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT.pdf
Tool: https://github.com/R00tkitSMM/Pishi/
Article: https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html

This presentation covers Pishi, a method for structure-aware, feedback-driven fuzzing of the macOS kernel and its kernel extensions. Pishi is a static binary rewriting tool that instruments basic blocks in the XNU kernel and in macOS kernel extensions (kexts). It can instrument the XNU kernel at the level of a function, a source file, a source directory, or an address range: for example, everything under XNU/bsd/net/, all functions in content_filter.c, or a single function in the XNU source such as vnode_getfromfd. This enables targeted fuzzing. For kexts, it can likewise target a single IOKit class or one or more methods of a class. Similar to KCOV on Linux and macOS, it collects coverage and shares it with a fuzzer, so Pishi can be hooked into any off-the-shelf fuzzer. Pishi includes modified versions of libFuzzer and libprotobuf-mutator that have been made Pishi-aware, enabling them to fuzz the macOS kernel in a structure-aware, feedback-driven manner.
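The abstract describes the two halves of coverage-guided kernel fuzzing: a stub inserted at each basic block that records execution, and a fuzzer that compares the recorded hits against everything seen so far to decide whether an input is worth keeping. The following is an added, self-contained illustration of that feedback loop in user-space C; it is not Pishi's code, and the target function, block ids and corpus are constructed for the example. The `cov_hit` call models the instrumentation a static rewriter would insert at the start of each basic block; the per-run buffer and global map model the KCOV-style coverage handoff to the fuzzer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a model of the coverage feedback loop that a
 * basic-block instrumentation tool feeds. Block ids and the target
 * function are hypothetical; a static rewriter assigns one id per
 * basic block it instruments. */

#define COV_MAP_SIZE 256u

static uint8_t cov_run[COV_MAP_SIZE];    /* blocks hit during the current input (per-run buffer, KCOV-style) */
static uint8_t cov_global[COV_MAP_SIZE]; /* blocks seen at any point in the campaign */

/* Stand-in for the stub a rewriter inserts at the start of each basic block. */
static void cov_hit(unsigned block_id) { cov_run[block_id % COV_MAP_SIZE] = 1; }

/* Hypothetical instrumented target: a tiny two-byte tag parser. */
static int target_parse(const uint8_t *buf, size_t len) {
    cov_hit(1);                              /* entry block */
    if (len < 2) {
        cov_hit(2);                          /* short-input path */
        return -1;
    }
    if (buf[0] == 'P') {
        cov_hit(3);                          /* first byte matched */
        if (buf[1] == 'K') {
            cov_hit(4);                      /* full tag matched */
            return 1;
        }
    }
    cov_hit(5);                              /* fall-through: no match */
    return 0;
}

/* Merge this run's hits into the global map; return the number of blocks
 * not seen before. A non-zero result is the fuzzer's signal to keep the input. */
static unsigned cov_merge(void) {
    unsigned new_blocks = 0;
    for (size_t i = 0; i < COV_MAP_SIZE; i++) {
        if (cov_run[i] && !cov_global[i]) {
            cov_global[i] = 1;
            new_blocks++;
        }
    }
    return new_blocks;
}

/* Execute one input under coverage; returns how many new blocks it reached. */
unsigned fuzz_one(const uint8_t *buf, size_t len) {
    memset(cov_run, 0, sizeof cov_run);      /* clear the per-run buffer before each execution */
    target_parse(buf, len);
    return cov_merge();
}

/* Total distinct blocks covered so far. */
unsigned cov_total(void) {
    unsigned n = 0;
    for (size_t i = 0; i < COV_MAP_SIZE; i++) n += cov_global[i];
    return n;
}

/* Forget all coverage (start a fresh campaign). */
void cov_reset_all(void) { memset(cov_global, 0, sizeof cov_global); }

int main(void) {
    /* Constructed corpus; each input is kept only if it adds coverage. */
    const char *corpus[] = { "", "xx", "Px", "PK", "PK" };
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++) {
        unsigned gained = fuzz_one((const uint8_t *)corpus[i], strlen(corpus[i]));
        printf("input %-3s -> %u new block(s), %u total; %s\n",
               corpus[i][0] ? corpus[i] : "\"\"", gained, cov_total(),
               gained ? "keep" : "discard");
    }
    return 0;
}
```

The second "PK" run yields zero new blocks and is discarded, which is exactly the pruning step that makes the fuzzer feedback-driven. In a real kernel setup the per-run buffer lives in memory shared between the instrumented kernel and the user-space fuzzer, and the merge step is what libFuzzer performs with the coverage it receives.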